revengerat | 59af63a2492f69fde69c4cbe15622e422c9d46b517e08a363aa37f0a15e2bf0f

Analysis

max time kernel
94s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2024 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

646KB
MD5

16b65da3e4b40c5d13c7c682deea2db1
SHA1

656bc78fbba8606afcad2dc38b7fa69d59f7a85a
SHA256

3be9008d57075c94568bf85423b88b071e6bd2eaeb85399d9bae516d1a8c62f2
SHA512

d0425c0d00e720d63be4136b6139a108ff6b23bbb3136d472e3d9e3a4c06083ba98ec246645c5a3e32b89910dc161883320d3afca7a4c33c6902fbeb1f9f1839
SSDEEP

12288:lJxJDu5hJdbv+BygQZ2eHF04+KMoeMb01JQntLOCC6+V:zzu5hJdbHZ2eXpemC6+

Score

10^/10

revengerat discovery stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral6/files/0x000e000000023b18-28.dat	revengerat

Executes dropped EXE 1 IoCs

pid	Process
4696	Tria Sistema Operatiu.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\tria..tion_0000000000000000_0002.0007_none_0ed879c771cc84f7\lock!04000000dcc3570ef4100000a00600000000000000000000 = 30303030313066342c30316462333134346562646635383431	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0	Tria Sistema Operatiu.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\tria..tion_0000000000000000_0002.0007_none_0ed879c771cc84f7\lock!06000000f6c4570e58120000180a00000000000000000000 = 30303030313235382c30316462333134346630303462616665	Tria Sistema Operatiu.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\Gi_tria..tion_0000000000000000_8f927d096bf65991	Tria Sistema Operatiu.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\tria...exe_0000000000000000_0002.0007_none_1a85b012304683cc\lock!06000000dcc3570ef4100000a00600000000000000000000 = 30303030313066342c30316462333134346562646635383431	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications\tria..tion_0000000000000000_0002.0007_a2e7fc46be9deb2d	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Visibility\tria..tion_0000000000000000_0002.0007_none_0ed879c771cc84f7	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}\tria..tion_00000000000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Visibility\tria...exe_0000000000000000_0002.0007_none_1a85b012304683cc\identity = 547269612053697374656d61204f706572617469752e6578652c2056657273696f6e3d322e372e332e302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d303030303030303030303030303030302c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\tria..tion_0000000000000000_0002.0007_00ce4c9c1a57bb4b\reference!S_{3f471841-eef2-47d6-89c0-d028f03a4ad5}	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\F_tria..tion_0000000000000000_6f535fc400025c13	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\tria...exe_0000000000000000_0002.0007_none_1a85b012304683cc\lock!04000000f6c4570e58120000180a00000000000000000000 = 30303030313235382c30316462333134346630303462616665	Tria Sistema Operatiu.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\tria...exe_0000000000000000_0002.0007_none_1a85b012304683cc\lock!08000000f6c4570e58120000180a00000000000000000000 = 30303030313235382c30316462333134346630303462616665	Tria Sistema Operatiu.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\tria..tion_0000000000000000_0002.0007_00ce4c9c1a57bb4b	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\tria..tion_0000000000000000_0002.0007_a2e7fc46be9deb2d\tria...exe_0000000000000000_0002.0007_none_1a85b01230 = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\tria...exe_0000000000000000_0002.0007_none_1a85b012304683cc	Tria Sistema Operatiu.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\tria..tion_00000000000000 = 30000000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\tria...exe_0000000000000000_0002.0007_none_1a85b012304683cc\Files	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\tria..tion_0000000000000000_0002.0007_a2e7fc46be9deb2d\tria..atiu_none_0002.0007_none_3033abfe2d34c8b2\Files = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment	Tria Sistema Operatiu.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\tria..tion_0000000000000000_0002.0007_a2e7fc46be9deb2d\appid = 66696c653a2f2f2f433a2f55736572732f41646d696e2f417070446174612f4c6f63616c2f54656d702f5472696125323053697374656d612532304f706572617469752e6170706c69636174696f6e23547269612053697374656d61204f706572617469752e6170706c69636174696f6e2c2056657273696f6e3d322e372e332e302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d303030303030303030303030303030302c2070726f636573736f724172636869746563747572653d6d73696c2f547269612053697374656d61204f706572617469752e6578652c2056657273696f6e3d322e372e332e302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d303030303030303030303030303030302c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Visibility\tria..tion_0000000000000000_0002.0007_none_0ed879c771cc84f7\identity = 547269612053697374656d61204f706572617469752e6170706c69636174696f6e2c2056657273696f6e3d322e372e332e302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d303030303030303030303030303030302c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\tria..tion_0000000000000000_0002.0007_none_0ed879c771cc84f7	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide	Tria Sistema Operatiu.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Visibility\tria..tion_0000000000000000_0002.0007_none_0ed879c771cc84f7\Applications	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\tria...exe_0000000000000000_0002.0007_none_1a85b012304683cc\implication!tria..tion_0000000000000000_0002.0007_00c = 66696c653a2f2f2f433a2f55736572732f41646d696e2f417070446174612f4c6f63616c2f54656d702f5472696125323053697374656d612532304f706572617469752e6170706c69636174696f6e23547269612053697374656d61204f706572617469752e6170706c69636174696f6e2c2056657273696f6e3d322e372e332e302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d303030303030303030303030303030302c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\ComponentStore_RandomString = "MTLGZCMVX9B421ZB8RL61WGG"	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\tria...exe_0000000000000000_0002.0007_none_1a85b012304683cc	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Visibility	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\tria..tion_00000000000000 = 660069006c0065003a002f002f002f0043003a002f00550073006500720073002f00410064006d0069006e002f0041007000700044006100740061002f004c006f00630061006c002f00540065006d0070002f005400720069006100250032003000530069007300740065006d0061002500320030004f0070006500720061007400690075002e006100700070006c00690063006100740069006f006e000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\tria..tion_00000000000000 = 30003000300031002f00300031002f00300031002000300030003a00300030003a00300030000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\tria...exe_0000000000000000_0002.0007_none_1a85b012304683cc\Files\Linux-Windows.ico_50a903172f2e8fc5 = 01	dfsvc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\OnlineAppQuotaUsageEstimate = "0"	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Assemblies	Tria Sistema Operatiu.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\tria..tion_0000000000000000_0002.0007_a2e7fc46be9deb2d	Tria Sistema Operatiu.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}\NonCanonicalData	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Installations	Tria Sistema Operatiu.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\Gi_tria..tion_0000000000000000_8f927d096bf65991\LastRunVersion = 66696c653a2f2f2f433a2f55736572732f41646d696e2f417070446174612f4c6f63616c2f54656d702f5472696125323053697374656d612532304f706572617469752e6170706c69636174696f6e23547269612053697374656d61204f706572617469752e6170706c69636174696f6e2c2056657273696f6e3d322e372e332e302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d303030303030303030303030303030302c2070726f636573736f724172636869746563747572653d6d73696c2f547269612053697374656d61204f706572617469752e6578652c2056657273696f6e3d322e372e332e302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d303030303030303030303030303030302c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	Tria Sistema Operatiu.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Assemblies	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\tria..tion_0000000000000000_0002.0007_none_0ed879c771cc84f7\identity = 547269612053697374656d61204f706572617469752e6170706c69636174696f6e2c2056657273696f6e3d322e372e332e302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d303030303030303030303030303030302c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft	Tria Sistema Operatiu.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\tria..tion_00000000000000 = 32003000320034002f00310031002f00300037002000310038003a00340033003a00320038000000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\tria..tion_00000000000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\tria..tion_00000000000000 = 54007200750065000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\tria..tion_0000000000000000_0002.0007_none_0ed879c771cc84f7\SizeOfStronglyNamedComponent = 061b000000000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications\tria..tion_0000000000000000_0002.0007_a2e7fc46be9deb2d\PreparedForExecution = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows	Tria Sistema Operatiu.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\Gc_tria..tion_6f535fc400025c13\LastRunVersion = 66696c653a2f2f2f433a2f55736572732f41646d696e2f417070446174612f4c6f63616c2f54656d702f5472696125323053697374656d612532304f706572617469752e6170706c69636174696f6e23547269612053697374656d61204f706572617469752e6170706c69636174696f6e2c2056657273696f6e3d322e372e332e302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d303030303030303030303030303030302c2070726f636573736f724172636869746563747572653d6d73696c2f547269612053697374656d61204f706572617469752e6578652c2056657273696f6e3d322e372e332e302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d303030303030303030303030303030302c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	Tria Sistema Operatiu.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Visibility\tria...exe_0000000000000000_0002.0007_none_1a85b012304683cc	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\tria...exe_0000000000000000_0002.0007_none_1a85b012304683cc\identity = 547269612053697374656d61204f706572617469752e6578652c2056657273696f6e3d322e372e332e302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d303030303030303030303030303030302c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Categories	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\tria..tion_0000000000000000_0002.0007_a2e7fc46be9deb2d\implication!tria..tion_0000000000000000_0002.0007_00ce4c9c = 66696c653a2f2f2f433a2f55736572732f41646d696e2f417070446174612f4c6f63616c2f54656d702f5472696125323053697374656d612532304f706572617469752e6170706c69636174696f6e23547269612053697374656d61204f706572617469752e6170706c69636174696f6e2c2056657273696f6e3d322e372e332e302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d303030303030303030303030303030302c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\tria...exe_0000000000000000_0002.0007_none_1a85b012304683cc\DigestValue = a49ff5c95c7a80a596a4b1247dd35c8e5fecffd5e996870c0f6888346c301adc	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\tria...exe_0000000000000000_0002.0007_none_1a85b012304683cc\Transform = 01	dfsvc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4340	dfsvc.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 4340	1644	setup.exe	85
PID 1644 wrote to memory of 4340	1644	setup.exe	85
PID 4340 wrote to memory of 4696	4340	dfsvc.exe	92
PID 4340 wrote to memory of 4696	4340	dfsvc.exe	92
PID 4340 wrote to memory of 4696	4340	dfsvc.exe	92

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4340
- - C:\Users\Admin\AppData\Local\Apps\2.0\LH0K7ARO.9VW\NQODGZBT.0O0\tria..tion_0000000000000000_0002.0007_a2e7fc46be9deb2d\Tria Sistema Operatiu.exe
    "C:\Users\Admin\AppData\Local\Apps\2.0\LH0K7ARO.9VW\NQODGZBT.0O0\tria..tion_0000000000000000_0002.0007_a2e7fc46be9deb2d\Tria Sistema Operatiu.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:4696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Apps\2.0\LH0K7ARO.9VW\NQODGZBT.0O0\manifests\tria...exe_0000000000000000_0002.0007_none_1a85b012304683cc.cdf-ms

Filesize
8KB

MD5
9dcc04e874746d2386b7a555910f7593

SHA1
574aba85723cf3c391618de435bb106cd21d6855

SHA256
d25afebd0a7808964dd0c73014bf8dd039ecf1b49f6b14222c8daf6203c6022d

SHA512
2fe59d143c39e21e4e8d3dc2cc57450e2ad3d06ae91a640b5f780bff28a5db0653a5d5925f0d4f1809b0ad2145eae9f29d4d0d828aaf14046515560d78c4f697

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\LH0K7ARO.9VW\NQODGZBT.0O0\manifests\tria..tion_0000000000000000_0002.0007_none_0ed879c771cc84f7.cdf-ms

Filesize
4KB

MD5
c5efa96d265cbccf4d7f26e0ef9aa81e

SHA1
fd0b1a59b3258cad001f11bf440d2d6015bc007a

SHA256
904685541956732cf430f047720a64099094bc80fa780ab97ec22bd00e076253

SHA512
cec1e9730a6ed163a7ff4ce5e2542c50a7a507a5de60e8e34564d3ac56b67471c25811c2d006c3dd23f2ba0cfcdd1b0595564f7a38e5f0499c06c4374f89043d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\5A4QLWEJ.9XK\JMXLLJP1.Z0B\Linux-Windows.ico

Filesize
130KB

MD5
2d835d3f7b1764b5ce4332bcc93a8982

SHA1
987207b85f90e15c9d1b0f250ed4eadb189991c4

SHA256
75f7c3e5464c6fca5d9fd48e30aa8cd722024113b3c9102fc88c50a6c05acbec

SHA512
059777b2d98efb90bad33bd1e39478610f7a219a94aec4d74ba65983fc24b26e3df7b1b3e0d4285b9f6b23b4ec04503e948219a2d9b900e07d810864bf242936

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\5A4QLWEJ.9XK\JMXLLJP1.Z0B\Tria Sistema Operatiu.exe

Filesize
1.2MB

MD5
2817510471e8373c3e1fd06818ee25c0

SHA1
c4fe0a8a22c52bb94079649baaf488fc062320d5

SHA256
abd62567e6f93dc87565879152f407c6dff81ff735f5aa23c9abdd54d08da8e7

SHA512
73cdd4b1af676614d24b47ec2ed6757cb1eb83b804e4740464f1581028451b9dc989c04a52d5fba97453a54075e4357b5b90d90dc60dff003bc099ac7979632d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\5A4QLWEJ.9XK\JMXLLJP1.Z0B\Tria Sistema Operatiu.exe.config

Filesize
1KB

MD5
3be13b7a3b2cd64ea8a2b3427ac374b7

SHA1
496e05f5a46679c2ba06e133792b85b4f9627b59

SHA256
8abfaae86698b91d741be0bd29390e3db994ff28c926453c959a06954d1e67ec

SHA512
10ff64228d63aace1cfae94ee9cf885cba4e98abb429809369d4b2358ddcd3ada9d1f3003e8589382d451c200310bb2ebcb6864ab32e42f0d14d8fde3626d249

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\5A4QLWEJ.9XK\JMXLLJP1.Z0B\Tria Sistema Operatiu.exe.manifest

Filesize
5KB

MD5
f1735af23ad1c08309c1b8782a676b14

SHA1
0741d38fedc16cb99d0496c056447393b78d74a3

SHA256
a49ff5c95c7a80a596a4b1247dd35c8e5fecffd5e996870c0f6888346c301adc

SHA512
28d42306e6200ae931c598dc16d27e0cdecab2b84158c0b6ccf73f40bd8a47ba60647100fbfae918c392c0378858c656dce487cb8b59ad572330209c57a62eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\5A4QLWEJ.9XK\JMXLLJP1.Z0B\Tria Sistema Operatiu.xml

Filesize
1KB

MD5
f5b862c6ef241f14deadb2f60ffe5d38

SHA1
be75354065765e02bb1e651dfb35900c43bc17e4

SHA256
7750ef9072fbf7a075d136ef7443fb1e338eb776e1db58d5399d7e1ea14354a3

SHA512
31741d3b4fc4d5e3d29a056d36d0e3a86f346d637f054a56660995a87e9ae7c3eefcbdda17e9ef0536b50c531a70c3f2bcbea861fb90bd26ec814ae8f475c07c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\E81013O6.XEJ\4AB3LT2R.OLV.application

Filesize
2KB

MD5
914d18b77523a7fc758f05afbcb72778

SHA1
70cc2032b637317d7fc896eeb2d722c01d4f5693

SHA256
12105153d5025d70e01449f88884aacb5fd00e1c8e9486952590125dd7d418e1

SHA512
f0699d071542cdc96ac94bad941089d2005a1c17e63e2e2b2916b4d11322e04ac81c6ff3e5f87f6623dfa55059d08ee4e3f29cd9aaef7d67a3d8c8f309fc6769

Download Submit
memory/4340-4-0x00007FFC0D880000-0x00007FFC0E341000-memory.dmp

Filesize
10.8MB

Download
memory/4340-26-0x00000128A8DB0000-0x00000128A8EE8000-memory.dmp

Filesize
1.2MB

Download
memory/4340-14-0x00000128A8AE0000-0x00000128A8B30000-memory.dmp

Filesize
320KB

Download
memory/4340-11-0x00007FFC0D880000-0x00007FFC0E341000-memory.dmp

Filesize
10.8MB

Download
memory/4340-0-0x00007FFC0D883000-0x00007FFC0D885000-memory.dmp

Filesize
8KB

Download
memory/4340-15-0x00007FFC0D880000-0x00007FFC0E341000-memory.dmp

Filesize
10.8MB

Download
memory/4340-2-0x00000128A5230000-0x00000128A53B6000-memory.dmp

Filesize
1.5MB

Download
memory/4340-1-0x000001288AB20000-0x000001288AB28000-memory.dmp

Filesize
32KB

Download
memory/4340-127-0x00007FFC0D883000-0x00007FFC0D885000-memory.dmp

Filesize
8KB

Download
memory/4340-128-0x00007FFC0D880000-0x00007FFC0E341000-memory.dmp

Filesize
10.8MB

Download
memory/4696-125-0x000001FE1B340000-0x000001FE1B478000-memory.dmp

Filesize
1.2MB

Download